The bwfm(4) driver now
provides more accurate device configuration information to userland.

Added new routing socket message RTM_80211INFO to provide details
of 802.11 interface state changes to
dhclient(8) and
route(8).

If an auto-join list is configured, wireless interfaces will no longer
connect to unknown open networks by default. This behaviour must
now be explicitly enabled by adding the empty network name to the
auto-join list, e.g. ifconfig iwm0 join "", or join ""
in hostname.if files.
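As an added example (not from the release page), a small POSIX shell audit that lists the auto-join entries of a hostname.if file in order and reports whether the empty network name is present, i.e. whether the interface will still associate with unknown open networks under the 6.5 default. Both sample files are constructed; the script assumes each auto-join line starts with the keyword join and that network names are single words.

```shell
# Added example, not part of the OpenBSD 6.5 release notes.
# Lists the auto-join entries of a hostname.if(5)-style file in order and
# reports whether the empty network name (join "") is among them.
# Assumption: each auto-join line starts with the keyword "join" and the
# network name is a single word (quoted names with spaces are not handled).

autojoin_audit() {
    # $1: path to a hostname.if-style file
    # prints "N: name" per entry; exits 0 if join "" (unknown open
    # networks allowed) is present, 1 if the list is restrictive
    awk '
        $1 == "join" {
            n++
            name = $2
            if (name == "\"\"") { open = 1; name = "\"\" (any open network)" }
            printf "%d: %s\n", n, name
        }
        END { exit open ? 0 : 1 }
    ' "$1"
}

# Constructed sample: two named networks plus the explicit open-network
# fallback that 6.5 now requires before joining unknown networks.
PERMISSIVE_IF=$(mktemp)
cat > "$PERMISSIVE_IF" <<'EOF'
join homenet wpakey correct-horse-battery-staple
join officenet wpakey another-passphrase
join ""
inet autoconf
EOF

# Constructed sample: the same list without join "", so the interface
# only ever associates with the two named networks.
RESTRICTIVE_IF=$(mktemp)
cat > "$RESTRICTIVE_IF" <<'EOF'
join homenet wpakey correct-horse-battery-staple
join officenet wpakey another-passphrase
inet autoconf
EOF

if autojoin_audit "$PERMISSIVE_IF"; then
    echo "open-network fallback enabled"
fi
```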

The iwn(4) and
iwm(4) drivers will now
automatically try to connect to a network if the radio kill switch is
toggled to allow radio transmissions while the interface is marked UP.

unveil(2) has been
improved to understand and find covering unveil matches above the
working directory of the running process for relative path accesses.
As a result, many programs can now use unveil in broad ways, such as
unveil("/", "r").

ROP mitigations in clang(1)
have been improved, resulting in a significant decrease in the number
of polymorphic ROP gadgets in binaries on i386/amd64.

RETGUARD performance and security has been improved in
clang(1)
by keeping data on registers instead of on the stack when possible,
and lengthening the epilogue trapsled on amd64 to consume the rest
of the cache line before the return.

RETGUARD replaces the stack protector on amd64 and arm64,
since RETGUARD instruments every function that returns and provides
better security properties than the traditional stack protector.

ssh(1): Allow "PKCS11Provider=none" to override later instances of
the PKCS11Provider directive in ssh_config; bz#2974
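As an added example (not from the release page or OpenSSH itself), an ssh_config that keeps a PKCS#11 provider enabled for every host but disables it for one, relying on the behaviour described above: the host-specific PKCS11Provider=none comes first and now overrides the later global instance. The provider path and host names are assumptions; ssh -G is only used to display the resolved value if ssh(1) is installed.

```shell
# Added example, not from the release notes: constructed ssh_config in
# which one host opts out of the token while all others use it.
# Assumptions: the provider path and the host names are made up.

write_ssh_config() {
    # $1: output path; writes the constructed ssh_config and prints the path
    cat > "$1" <<'EOF'
# Host-specific entry first: ssh_config keeps the first value obtained,
# and with the OpenSSH shipped in 6.5 "none" is honoured even though a
# provider is set further down.
Host build.example.internal
    PKCS11Provider none

# Default for every other host: keys come from the PKCS#11 token.
Host *
    PKCS11Provider /usr/local/lib/opensc-pkcs11.so
EOF
    printf '%s\n' "$1"
}

effective_provider() {
    # $1: config path, $2: host name; asks ssh(1) for the resolved value.
    # ssh -G prints the effective client configuration without connecting;
    # an unset provider is reported here as "none".
    ssh -G -F "$1" "$2" |
        awk '$1 == "pkcs11provider" { p = $2 } END { print (p == "" ? "none" : p) }'
}

CFG=$(mktemp)
write_ssh_config "$CFG" >/dev/null
if command -v ssh >/dev/null 2>&1; then
    echo "build host: $(effective_provider "$CFG" build.example.internal)"
    echo "other host: $(effective_provider "$CFG" other.example.internal)"
fi
```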

sshd(8): Add a log message for situations where a connection is
dropped for attempting to run a command but a sshd_config
ForceCommand=internal-sftp restriction is in effect; bz#2960

ssh(1): When prompting whether to record a new host key, accept
the key fingerprint as a synonym for "yes". This allows the user
to paste a fingerprint obtained out of band at the prompt and
have the client do the comparison for you.

scp(1), sftp(1): Accept -J option as an alias to ProxyJump on
the scp and sftp command-lines.

ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
command-line flags to increase the verbosity of output; pass
verbose flags through to subprocesses, such as ssh-pkcs11-helper
started from ssh-agent.

ssh-add(1): Add a "-T" option to allow testing whether keys in
an agent are usable by performing a signature and a verification.

sftp-server(8): Add a "lsetstat@openssh.com" protocol extension
that replicates the functionality of the existing SSH2_FXP_SETSTAT
operation but does not follow symlinks. bz#2067

sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request
they do not follow symlinks.

sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes
the connection 4-tuple available to PAM modules that wish to use
it in decision-making. bz#2741

sshd(8): Fix two race conditions related to SIGHUP daemon restart.
Remnant file descriptors in recently-forked child processes could
block the parent sshd's attempt to listen(2) to the configured
addresses. Also, the restarting parent sshd could exit before any
child processes that were awaiting their re-execution state had
completed reading it, leaving them in a fallback path.

ssh(1): Fix stdout potentially being redirected to /dev/null when
ProxyCommand=- was in use.

sshd(8): Avoid sending SIGPIPE to child processes if they attempt
to write to stderr after their parent processes have exited;
bz#2071

ssh(1): Fix bad interaction between the ssh_config ConnectTimeout
and ConnectionAttempts directives - connection attempts after the
first were ignoring the requested timeout; bz#2918

ssh-keyscan(1): Return a non-zero exit status if no keys were
found; bz#2903

sshd(8): Fix confusion between ClientAliveInterval and time-based
RekeyLimit that could cause connections to be incorrectly closed.
bz#2757

ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN
handling at initial token login. The attempt to read the PIN
could be skipped in some cases, particularly on devices with
integrated PIN readers. This would lead to an inability to
retrieve keys from these tokens. bz#2652

ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the
CKA_ALWAYS_AUTHENTICATE flag by requiring a fresh login after the
C_SignInit operation. bz#2638

ssh(1): Improve documentation for ProxyJump/-J, clarifying that
local configuration does not apply to jump hosts.

ssh(1), sshd(8): be more strict in processing protocol banners,
allowing \r characters only immediately before \n.

Various: fix a number of memory leaks, including bz#2942 and
bz#2938

scp(1), sftp(1): fix calculation of initial bandwidth limits.
Account for bytes written before the timer starts and adjust the
schedule on which recalculations are performed. Avoids an initial
burst of traffic and yields more accurate bandwidth limits;
bz#2927

sshd(8): Only consider the ext-info-c extension during the initial
key exchange. It shouldn't be sent in subsequent ones, but if it
is present we should ignore it. This prevents sshd from sending a
SSH_MSG_EXT_INFO during REKEX to these buggy clients. bz#2929

ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in
authorized_keys) and -R (remove host from authorized_keys) options
may accept either a bare hostname or a [hostname]:port combo.
bz#2935

ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936

sshd(8): Silence error messages when sshd fails to load some of
the default host keys. Failure to load an explicitly-configured
hostkey is still an error, and failure to load any host key is
still fatal. pr/103

ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is
started with ControlPersist; prevents random ProxyCommand output
from interfering with session output.

ssh(1): The ssh client was keeping a redundant ssh-agent socket
(leftover from authentication) around for the life of the
connection; bz#2912

sshd(8): Fix bug in HostbasedAcceptedKeyTypes and
PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types
were specified, then authentication would always fail for RSA keys
as the monitor checks only the base key (not the signature
algorithm) type against *AcceptedKeyTypes. bz#2746

ssh(1): Request correct signature types from ssh-agent when
certificate keys and RSA-SHA2 signatures are in use.

Quick installer information for people familiar with OpenBSD, and the use of
the "disklabel -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!

OpenBSD/alpha:

Write floppy65.fs or floppyB65.fs (depending on your machine)
to a diskette and enter boot dva0.
Refer to INSTALL.alpha for more details.

Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.

OpenBSD/amd64:

If your machine can boot from CD, you can write install65.iso or
cd65.iso to a CD and boot from it.
You may need to adjust your BIOS options first.

If your machine can boot from USB, you can write install65.fs or
miniroot65.fs to a USB stick and boot from it.

If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.

If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.

OpenBSD/arm64:

Write miniroot65.fs to a disk and boot from it after connecting
to the serial console. Refer to INSTALL.arm64 for more details.

OpenBSD/armv7:

Write a system specific miniroot to an SD card and boot from it after connecting
to the serial console. Refer to INSTALL.armv7 for more details.

OpenBSD/hppa:

Boot over the network by following the instructions in INSTALL.hppa or the
hppa platform page.

OpenBSD/i386:

If your machine can boot from CD, you can write install65.iso or
cd65.iso to a CD and boot from it.
You may need to adjust your BIOS options first.

If your machine can boot from USB, you can write install65.fs or
miniroot65.fs to a USB stick and boot from it.

If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.

If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.

OpenBSD/landisk:

Write miniroot65.fs to the start of the CF
or disk, and boot normally.

OpenBSD/loongson:

Write miniroot65.fs to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.

OpenBSD/luna88k:

Copy `boot' and `bsd.rd' to a Mach or UniOS partition, and boot the bootloader
from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.

OpenBSD/macppc:

Burn the image from a mirror site to a CDROM, and power on your machine
while holding down the C key until the display turns on and
shows OpenBSD/macppc boot.

Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot
/6.5/macppc/bsd.rd

OpenBSD/octeon:

After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.

OpenBSD/sgi:

To install, burn cd65.iso on a CD-R, put it in the CD drive of your
machine and select Install System Software from the System Maintenance
menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
CD-ROM, and need a proper invocation from the PROM prompt.
Refer to the instructions in INSTALL.sgi for more details.

If your machine doesn't have a CD drive, you can set up a DHCP/tftp network
server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
system type. Refer to the instructions in INSTALL.sgi for more details.

OpenBSD/sparc64:

Burn the image from a mirror site to a CDROM, boot from it, and type
boot cdrom.

If this doesn't work, or if you don't have a CDROM drive, you can write
floppy65.fs or floppyB65.fs
(depending on your machine) to a floppy and boot it with boot
floppy. Refer to INSTALL.sparc64 for details.

Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.

You can also write miniroot65.fs to the swap partition on
the disk and boot with boot disk:b.

If nothing works, you can boot over the network as described in INSTALL.sparc64.

How to upgrade

If you already have an OpenBSD 6.4 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
Upgrade Guide.

Notes about the source code

src.tar.gz contains a source archive starting at /usr/src.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:

# mkdir -p /usr/src
# cd /usr/src
# tar xvfz /tmp/src.tar.gz

sys.tar.gz contains a source archive starting at /usr/src/sys.
This file contains all the kernel sources you need to rebuild kernels.
To extract:

# mkdir -p /usr/src/sys
# cd /usr/src
# tar xvfz /tmp/sys.tar.gz

Both of these trees are a regular CVS checkout. Using these trees it
is possible to get a head-start on using the anoncvs servers as
described here.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.

Ports Tree

A ports tree archive is also provided. To extract:

# cd /usr
# tar xvfz /tmp/ports.tar.gz

Go read the ports page
if you know nothing about ports
at this point. This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.

The ports/ directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
AnonCVS.
So, in order to keep up to date with the -stable branch, you must make
the ports/ tree available on a read-write medium and update the tree
with a command like: